Critical severity9.8NVD Advisory· Published Mar 20, 2018· Updated Jun 17, 2026
CVE-2014-3990
CVE-2014-3990
Description
The Cart::getProducts method in system/library/cart.php in OpenCart 1.5.6.4 and earlier allows remote attackers to conduct server-side request forgery (SSRF) attacks or possibly conduct XML External Entity (XXE) attacks and execute arbitrary code via a crafted serialized PHP object, related to the quantity parameter in an update request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
6- github.com/opencart-ce/opencart-ce/commit/c2aafc823bd85876f5e888f8ebc421069a5e076fnvdIssue TrackingPatchThird Party Advisory
- karmainsecurity.com/KIS-2014-08nvdExploitThird Party Advisory
- packetstormsecurity.com/files/127460/OpenCart-1.5.6.4-PHP-Object-Injection.htmlnvdExploitThird Party AdvisoryVDB Entry
- seclists.org/fulldisclosure/2014/Jul/67nvdExploitMailing ListThird Party Advisory
- www.securityfocus.com/archive/1/532763/100/0/threadednvdExploitThird Party AdvisoryVDB Entry
- www.securityfocus.com/bid/68529nvdThird Party AdvisoryVDB Entry
News mentions
0No linked articles in our index yet.